[Auditbeat] Cherry-pick #9327 to 6.x: Login metricset #10509

Merged: 5 commits, Feb 4, 2019
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
@@ -144,6 +144,7 @@ https://github.com/elastic/beats/compare/v6.6.0...6.x[Check the HEAD diff]
- Add system module. {pull}9546[9546]
- System module `process` dataset: Add user information to processes. {pull}9963[9963]
- Add system `package` dataset. {pull}10225[10225]
- Add system module `login` dataset. {pull}9327[9327]

*Filebeat*

35 changes: 35 additions & 0 deletions auditbeat/docs/fields.asciidoc
@@ -3724,6 +3724,41 @@ These are the fields generated by the system module.




*`event.origin`*::
+
--
type: keyword

Origin of the event. This can be a file path (e.g. `/var/log/log.1`), or the name of the system component that supplied the data (e.g. `netlink`).


--

*`event.outcome`*::
+
--
type: keyword

example: success

The outcome of the event.
If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.


--


*`user.terminal`*::
+
--
type: keyword

Terminal of the user.


--

[float]
== system.audit fields
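Review bot: the `event.outcome` description in this hunk has two grammar errors, "this fields contains the outcome" should read "this field contains the outcome" and "Examples outcomes are" should read "Example outcomes are". This file is generated from the `event.outcome` entry in `x-pack/auditbeat/module/system/_meta/fields.yml`, which carries the same text elsewhere in this PR, so fix the wording there and regenerate rather than editing here.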

7 changes: 7 additions & 0 deletions x-pack/auditbeat/auditbeat.reference.yml
@@ -112,6 +112,7 @@ auditbeat.modules:
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- login # User logins, logouts, and system boots.
- package # Installed, updated, and removed packages
- process # Started and stopped processes
- socket # Opened and closed sockets
@@ -134,6 +135,12 @@ auditbeat.modules:
# detect any changes.
user.detect_password_changes: true

# File patterns of the login record files.
# wtmp: History of successful logins, logouts, and system shutdowns and boots.
# btmp: Failed login attempts.
login.wtmp_file_pattern: /var/log/wtmp*
login.btmp_file_pattern: /var/log/btmp*

#================================ General ======================================

# The name of the shipper that publishes the network data. It can be used to group
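Review bot: the `login.wtmp_file_pattern: /var/log/wtmp*` glob matches rotated files such as `wtmp.1` (the sample document in this PR reports `event.origin: /var/log/wtmp.1`), but on hosts where logrotate compresses old records it also matches `wtmp.1.gz`; please state in the comment above the two patterns whether compressed rotations are read or skipped, so users do not expect history from compressed files and are not surprised by parse errors on them. The same applies to `login.btmp_file_pattern`.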
5 changes: 5 additions & 0 deletions x-pack/auditbeat/auditbeat.yml
@@ -50,6 +50,7 @@ auditbeat.modules:
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- login # User logins, logouts, and system boots.
- package # Installed, updated, and removed packages
- process # Started and stopped processes
- socket # Opened and closed sockets
@@ -65,6 +66,10 @@ auditbeat.modules:
# detect any changes.
user.detect_password_changes: true

# File patterns of the login record files.
login.wtmp_file_pattern: /var/log/wtmp*
login.btmp_file_pattern: /var/log/btmp*

#==================== Elasticsearch template setting ==========================
setup.template.settings:
index.number_of_shards: 3
11 changes: 11 additions & 0 deletions x-pack/auditbeat/docs/modules/system.asciidoc
@@ -51,6 +51,7 @@ sample suggested configuration.
- module: system
datasets:
- host
- login
- package
- process
- socket
@@ -87,6 +88,7 @@ so a longer polling interval can be used.
- module: system
datasets:
- host
- login
- package
- user
period: 1m
@@ -113,6 +115,7 @@ auditbeat.modules:
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- login # User logins, logouts, and system boots.
- package # Installed, updated, and removed packages
- process # Started and stopped processes
- socket # Opened and closed sockets
@@ -127,6 +130,10 @@ auditbeat.modules:
# /etc/passwd and /etc/shadow and store a hash locally to
# detect any changes.
user.detect_password_changes: true

# File patterns of the login record files.
login.wtmp_file_pattern: /var/log/wtmp*
login.btmp_file_pattern: /var/log/btmp*
----

[float]
@@ -136,6 +143,8 @@ The following datasets are available:

* <<{beatname_lc}-dataset-system-host,host>>

* <<{beatname_lc}-dataset-system-login,login>>

* <<{beatname_lc}-dataset-system-package,package>>

* <<{beatname_lc}-dataset-system-process,process>>
@@ -146,6 +155,8 @@ The following datasets are available:

include::system/host.asciidoc[]

include::system/login.asciidoc[]

include::system/package.asciidoc[]

include::system/process.asciidoc[]
21 changes: 21 additions & 0 deletions x-pack/auditbeat/docs/modules/system/login.asciidoc
@@ -0,0 +1,21 @@
////
This file is generated! See scripts/docs_collector.py
////

[id="{beatname_lc}-dataset-system-login"]
=== System login dataset

include::../../../module/system/login/_meta/docs.asciidoc[]


==== Fields

For a description of each field in the dataset, see the
<<exported-fields-system,exported fields>> section.

Here is an example document generated by this dataset:

[source,json]
----
include::../../../module/system/login/_meta/data.json[]
----
1 change: 1 addition & 0 deletions x-pack/auditbeat/include/list.go
13 changes: 13 additions & 0 deletions x-pack/auditbeat/module/system/_meta/config.yml.tmpl
@@ -7,6 +7,9 @@
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
{{ if eq .GOOS "linux" -}}
- login # User logins, logouts, and system boots.
{{- end }}
{{ if ne .GOOS "windows" -}}
- package # Installed, updated, and removed packages
{{- end }}
@@ -38,3 +41,13 @@
# detect any changes.
user.detect_password_changes: true
{{- end }}

{{ if eq .GOOS "linux" -}}
# File patterns of the login record files.
{{- if .Reference }}
# wtmp: History of successful logins, logouts, and system shutdowns and boots.
# btmp: Failed login attempts.
{{- end }}
login.wtmp_file_pattern: /var/log/wtmp*
login.btmp_file_pattern: /var/log/btmp*
{{- end }}
2 changes: 2 additions & 0 deletions x-pack/auditbeat/module/system/_meta/docs.asciidoc
@@ -46,6 +46,7 @@ sample suggested configuration.
- module: system
datasets:
- host
- login
- package
- process
- socket
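Review bot: the sample configuration now lists `login` next to datasets that are available on every platform, but the dataset's own docs (`login/_meta/docs.asciidoc` in this PR) say it is implemented for Linux only and the config template guards it with `{{ if eq .GOOS "linux" -}}`; add a short note to this sample (or a comment on the `- login` line) so users on macOS or Windows who copy it do not enable a dataset their build does not contain and then hunt for the resulting startup error.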
@@ -82,6 +83,7 @@ so a longer polling interval can be used.
- module: system
datasets:
- host
- login
- package
- user
period: 1m
35 changes: 32 additions & 3 deletions x-pack/auditbeat/module/system/_meta/fields.yml
@@ -4,7 +4,36 @@
These are the fields generated by the system module.
release: experimental
fields:
- name: system.audit
type: group

- name: event
type: group
fields:
- name: origin
type: keyword
description: >
fields:
Origin of the event. This can be a file path (e.g. `/var/log/log.1`),
or the name of the system component that supplied the data (e.g. `netlink`).
- name: outcome
type: keyword
description: >
The outcome of the event.

If the event describes an action, this fields contains the outcome of
that action. Examples outcomes are `success` and `failure`. Warning: In
future versions of ECS, we plan to provide a list of acceptable values
for this field, please use with caution.

example: success

- name: user
type: group
fields:
- name: terminal
type: keyword
description: >
Terminal of the user.

- name: system.audit
type: group
description: >
fields:
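Review bot: `event.outcome` is an ECS field but `event.origin` is not part of ECS, yet both are declared here under the same `event` group with nothing marking which one is Beats-specific; add a sentence to the `origin` description saying it is a non-ECS field, since a later ECS field of the same name with a different meaning would conflict with this mapping. Also, the `user.terminal` description "Terminal of the user." could give the expected form (for example `pts/1`, as in the sample document), which helps people writing queries against it.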
2 changes: 1 addition & 1 deletion x-pack/auditbeat/module/system/fields.go
30 changes: 30 additions & 0 deletions x-pack/auditbeat/module/system/login/_meta/data.json
@@ -0,0 +1,30 @@
{
"@timestamp": "2017-10-12T08:05:34.853Z",
"agent": {
"hostname": "host.example.com",
"name": "host.example.com"
},
"event": {
"action": "user_login",
"dataset": "login",
"kind": "event",
"module": "system",
"origin": "/var/log/wtmp.1",
"outcome": "success"
},
"message": "Login by user vagrant (UID: 1000) on pts/1 (PID: 17559) from 10.0.2.2 (IP: 10.0.2.2)",
"process": {
"pid": 17559
},
"service": {
"type": "system"
},
"source": {
"ip": "10.0.2.2"
},
"user": {
"id": 1000,
"name": "vagrant",
"terminal": "pts/1"
}
}
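Review bot: `"id": 1000` under `user` is emitted as a JSON number, while `user.id` is a keyword field in ECS; emit it as the string `"1000"` so the sample document matches the mapping and the value type is the same as other datasets that fill `user.id` from a UID. Minor: the message ends in "from 10.0.2.2 (IP: 10.0.2.2)", repeating the address when no hostname is available; dropping the parenthetical when host and IP are identical reads better.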
7 changes: 7 additions & 0 deletions x-pack/auditbeat/module/system/login/_meta/docs.asciidoc
@@ -0,0 +1,7 @@
[role="xpack"]

experimental[]

This is the `login` dataset of the system module.

It is implemented for Linux only.
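Review bot: beyond "It is implemented for Linux only", this page should say what the dataset reads and what it needs: it parses the `wtmp` and `btmp` records selected by `login.wtmp_file_pattern` and `login.btmp_file_pattern` (see the config changes in this PR), and `/var/log/btmp` is normally readable only by root or the `utmp` group, so Auditbeat must run with matching privileges or failed-login events will silently be missing. A one-line note on that, plus a mention that the default globs include rotated files, would spare users from debugging an empty dataset.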
20 changes: 20 additions & 0 deletions x-pack/auditbeat/module/system/login/config.go
@@ -0,0 +1,20 @@
// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.

// +build linux

package login

// config defines the metricset's configuration options.
type config struct {
WtmpFilePattern string `config:"login.wtmp_file_pattern"`
BtmpFilePattern string `config:"login.btmp_file_pattern"`
}

func defaultConfig() config {
return config{
WtmpFilePattern: "/var/log/wtmp*",
BtmpFilePattern: "/var/log/btmp*",
}
}
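Review bot: `config` has no `Validate` method, so an empty or malformed pattern (for example `login.wtmp_file_pattern: ""`) is accepted at startup and the dataset simply produces no events; add a `Validate() error` that rejects empty patterns (the go-ucfg unpacker invokes it during `Unpack`, as other Beats configs rely on) so misconfiguration fails loudly instead of looking like a quiet host. The `// +build linux` constraint is consistent with the Linux-only docs in this PR.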